Chinese character folder created at startup

Question

I'm running:

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.1 LTS
Release:    16.04
Codename:   xenial

A folder, having Chinese characters, is created in my user's home directory at start up. Today, two folders were created:

drwx------  2 andre andre     4096 Sep 19 07:53 栯浯⽥湡牤⽥挮捡敨眯扥楫⽴捩湯慤慴慢敳뫛ᰌ㏸䖺ᮻ쏫쭴/
drwx------  2 andre andre     4096 Sep 19 07:57 栯浯⽥湡牤⽥挮捡敨眯扥楫⽴捩湯慤慴慢敳뫛疣㕲ᰰ냵調줟/

Both are empty.

I suspect that it is a virus. I've run clam and found nothing. I've run rootkit hunter and found nothing.

Almost all search results points to Malware for Windows and how to remove it.

Update:

• I've notice that the file /home/andre/.ssh/id_rsa.pub was modified two days ago - not sure if that is relevant
• Change PermitRootLogin prohibit-password to PermitRootLogin no in /etc/ssh/sshd_config

The following results:

hosts:

$ more /etc/hosts
127.0.0.1   localhost
127.0.1.1   Bilskirnir
10.100.0.11 dev2

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters    

prolife:

$ more /etc/profile

if [ "$PS1" ]; then
  if [ "$BASH" ] && [ "$BASH" != "/bin/sh" ]; then
    # The file bash.bashrc already sets the default PS1.
    # PS1='\h:\w\$ '
    if [ -f /etc/bash.bashrc ]; then
      . /etc/bash.bashrc
    fi
  else
    if [ "`id -u`" -eq 0 ]; then
      PS1='# '
    else
      PS1='$ '
    fi
  fi
fi

if [ -d /etc/profile.d ]; then
  for i in /etc/profile.d/*.sh; do
    if [ -r $i ]; then
      . $i
    fi
  done
  unset i
fi

.bashrc Doesn't seem to have changed. (Maybe too long to post here)

.bash_logout

more .bash_logout 

if [ "$SHLVL" = 1 ]; then
    [ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q
fi

.profile

more .profile 

# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
    . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:/usr/local/glassfish-4.1/bin:$HOME/scripts:/usr/local/netbeans-8.0.2/bin:$PATH"
fi
PATH="$HOME/Apps/TrID:/usr/local/glassfish-4.1/bin:$HOME/scripts:/usr/local/netbeans-8.0.2/bin:$PATH"

No unknown browser extensions.

Any advise?

Answer 1

I got the same problem and freaked out too.

A folder just like yours with almost the same chars appeared at the root of my home

I discovered the culprit turned out to be a RhythmBox plugin, the coverart-browse one in my case. As soon as I started the player that folder will create itself.

I just unistalled the plugin.

To do so, launch synaptic package manager, search for rhythmbox and there you will see the all the plugins you have installed. Select and uninstall the one causing you problems

else sudo apt-get remove rhythmbox-plugin-pluginToRemove

If I can fix it in the future I'll use this thread to let you know.

In your case It might be another software dumping a crash/call to attention into your home folder.

Cheers,

Answer 2

Remove these directories with ...

rm -rf 栯{tab}

(copy paste the 1st char an then hit {tab} or ...

rm -irf *

The -i will ask for confirmation and keep giving it an N (for No) for all other files and a Y (for Yes) for these 2 directories. Be careful with this and do not press Y for something you do not want to delete. Consider making a backup with ...

tar cvfz /tmp/home.backup.tar.gz /home

so you can restore any bad removes you did.

---

Files to check

 /etc/hosts
 /etc/profile
 /home/$USER/.bashrc
 /home/$USER/.bash_logout
 /home/$USER/.profile

Do a more {file} and visually check for anything related to this.

If the 1st 2 files contain this be wary: this means someone got your admin password since these can only be edited through sudo.

---

Also check the "statup applications" (from dash) for any script that gets started that you did not add yourself. Do not remove it before picking "edit" and write down what it starts if you find anything. Remove the entry and then also remove the script it starts. Post it into your question if you find anything though. That would probably help identifying any other related files.

---

Also check extensions. After removing these 2 without using a browser: reboot and check if they show up again. If so it will likely not be a browser extension. Start 1 browser and see if these reappear. Then close it and start any other browser you tend to use. You can also consider purging (sudo apt purge chromium for instance) your browser and re-install it (that will delete all settings too though).

Also: change your admin password. Preferably not from this session but use a live dvd or from grub (that way none of the scripts get parsed).

---

Before removing do a

sudo updatedb

and then a

locate 栯

and see if it finds the 2 directories (and anything else).